Re: [Tails-dev] Need hostnames suggestions for more resilie…

Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Need hostnames suggestions for more resilient htpdate pools
01/21/2012 03:28 PM, anonym:
> 01/21/2012 03:21 PM, intrigeri:
>> Thoughts before we merge this branch into stable and devel?
>
> No complaints from my side.


Now I have complaints :)

It turns out your wget test from earlier in this test isn't bullet
proof... unless you run squeeze (I run wheezy). Squeeze's wget (1.12)
produces cert errors for several of our new pool members. Most can be
fixed by prefixing with www. I tried upgrading wget to unstable's wget
(1.13.4 -- this also pulled libc6 libc-bin multiarch-support libgnutls26
libgpg-error libp11-kit0_ locales as deps from unstable) which made all
of them work.

Here are the details:

First of all, sarava.org seems to have issues at the moment. I get
"Proxy tunneling failed: Couldn't connect: SOCKS error: host
unreachable". I can't connect to it cleanly in the clear either. Let's
ignore this one for now.

Fixable (stupid cert errors):
-----------------------------

PAL:
1984.is           -->  www.1984.is
indymedia.org     -->  chavez.indymedia.org
planet.squat.net  -->  squat.net
www.boum.org      -->  boum.org


NEUTRAL:
mozilla.org       --> www.mozilla.org
stackexchange.com --> www.stackexchange.com


FOE:
www.tumblr.com    --> tumblr.com


If you try wget:ing tumblr.com it will result in some redirects and then
an error, but it still works in htpdate.

Not fixable (except by upgrading wget):
---------------------------------------

PAL:
www.ccc.de
www.nadir.org

Both of these yield an error like this:

ERROR: cannot verify www.ccc.de’s certificate, issued by “/O=CAcert
Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root”: Unable to
locally verify the issuer’s authority.

(BTW, htpdate reports the error "Could not get any Date header" for all
different kinds of cert errors I've encountered, which is a bit
misleading. "Could not verify SSL certificate" would be more honest.)

Since fetching wget (and its deps in particular) from unstable likely is
out of the question, I guess we have to update the hostnames as detailed
above, and find two new PALs (or three in case sarava.org doesn't get
its act together). Potential replacements (tested!):

* www.i2p2.de
* epic.org
* www.privacyinternational.org

Otherwise I must say that feature/more_resilient_htpdate seems to work
perfectly now.

Cheers!
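
Added example, not part of the original message and not code from htpdate or Tails: a shell triage that separates the failure kinds discussed above (hostname mismatch, untrusted issuer, unreachable host) instead of collapsing them into one generic error. The function names and the `*.pool.example` hosts are hypothetical, the hostname-mismatch wording is an assumption about wget's message, and the other two error strings are the ones quoted in the message.

```shell
# classify_fetch_error: read wget's stderr on stdin, print one category.
classify_fetch_error() {
    msg=$(cat)
    case $msg in
        "")                                      echo ok ;;
        *"Unable to locally verify the issuer"*) echo untrusted-issuer ;;
        *"match requested host name"*)           echo hostname-mismatch ;;
        *"cannot verify"*certificate*)           echo cert-other ;;
        *"Proxy tunneling failed"*)              echo unreachable ;;
        *)                                       echo unknown ;;
    esac
}

# action_for: map a category onto the buckets used in the message above
# (fixable by changing the hostname / needs a replacement pool member).
action_for() {
    case $1 in
        ok)                echo keep ;;
        hostname-mismatch) echo fix-hostname ;;
        untrusted-issuer)  echo replace-member ;;
        unreachable)       echo retest-later ;;
        *)                 echo investigate ;;
    esac
}

# sample_results: CONSTRUCTED input, one "host|stderr" record per line.
sample_results() {
    printf '%s|%s\n' \
        'a.pool.example' '' \
        'b.pool.example' "ERROR: certificate common name 'www.b.pool.example' doesn't match requested host name 'b.pool.example'." \
        'www.ccc.de' 'ERROR: cannot verify www.ccc.de’s certificate, issued by “/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root”: Unable to locally verify the issuer’s authority.' \
        'c.pool.example' "Proxy tunneling failed: Couldn't connect: SOCKS error: host unreachable"
}

# triage_pool: read "host|stderr" records, print "host category action".
triage_pool() {
    while IFS='|' read -r host err; do
        kind=$(printf '%s' "$err" | classify_fetch_error)
        printf '%s %s %s\n' "$host" "$kind" "$(action_for "$kind")"
    done
}

# Stand-alone run over the constructed records.
sample_results | triage_pool
```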